What is good enough protection?
I have been blessed in my career to work across a wide range of industries developing and introducing a wide range of products, usually on the cutting edge of technology. Oh, the stories we could share. From covert sensors to detect the undetectable, to communication gear capable of working where nothing else does, to handheld surveillance aircraft, I have had my share of fun.
There were some common threads in every project though, regardless of the technology or customer. Someone always wanted it faster with just a few more features, and my development teams always had to make tough choices between ‘good enough’ and ‘the best’ performance.
For some of this fun, I had to have a security clearance. It goes with the territory. Most non-government people have never heard of an SF-86 form, but it is the amazingly long, graphically detailed summary of your life. The government wants it all – work history, family history, where you have lived, who you associate with, and anything along the way that could be construed as embarrassing. You write it all down, submit it to the government investigators, and they determine if you are a worthwhile risk to entrust with secrets. You submit your biometrics, your health data, your Social Security number and asset data. It is an identity thief’s gold mine, but to be honest, most of us never gave that a thought.
After we received clearance approval, most of us never thought about that form again until renewal time. I guarantee you very few, if any, ever thought of that data getting hacked. We assumed that every precaution would be taken. That ‘good enough’ would not be the test metric. That OPM would test, and retest, and retest again to ensure that data was safe at any cost. Actually, most of us assumed that the data would be kept completely offline to ensure its safety. We were wrong.
Today I got my notice from OPM in the mail. My data was part of the pool that was stolen. There was no disclosure of what was stolen. Was it just my login info or my entire form? Was my entire form stolen or just parts? Were my biometrics stolen because those are good forever? Was data on my family part of what was ‘lost’ because that would mean my kids are just as vulnerable?
No details, just a simple apology form letter and an offer to provide me with three years of identity theft protection insurance. Not sure how that helps, exactly. This one hack could impact me the rest of my life. It could impact my kids after I am gone. And it seems no one is to blame.
On the same day, SC Magazine ran an in-depth article titled, “Top Priority: Federal Government must get cyber security right,” on this same subject and the current state of “digital hygiene” within government security. A great update, but no real reassurances.
I am told I am allowed to be mad, but I am not allowed to be mad at anyone specifically. It creates a strange feeling of helplessness. It also raises a real question: What is good enough when it comes to testing and monitoring any application holding our data? It is, after all, still our data, right?